With the current widespread use and variation of software applications in today's technology world, one of the most widespread methods of penetrating computer devices with malicious software involves the exploitation of vulnerabilities present in the software installed on the particular device.
To prevent the exploitation of vulnerabilities, companies and/or individuals will use both passive methods in the form of eliminating the vulnerabilities themselves and active methods in the form of detecting the actual exploiting of vulnerabilities. Passive methods are used for already known vulnerabilities, whereas active methods are used for both known and unknown vulnerabilities.
Existing detection technologies are in fact capable of detecting the actual exploiting of a vulnerability with the use of known techniques and mechanisms, but unfortunately these methods are not able to detect and prevent new techniques of exploitation of vulnerabilities that employ new principles and mechanisms of exploitation. For example, in order to make the execution of shellcodes (i.e., a small piece of code used as the payload in the exploitation of a software vulnerability) impossible, technologies have been developed that prevent execution in the stack, but in their place techniques of return-oriented programming have appeared. In general, return-oriented programming are computer security exploit techniques that allows an attacker to execute code in the presence of security defenses such as non-executable memory and code signing.
The existing defensive technologies have proven to be powerless against return-oriented programming. Thus, new solutions, for example, as described in U.S. Patent Publication No. 2016/0196428, have been developed to protect against these attacks. In view of these new solutions, there remains a need to detect a deviation in the functioning of a computer system from normal operation, which might indicate that the system has been attacked by a technique of exploiting a vulnerability in the software. The solving of this problem would make it possible to move away from the techniques of exploitation of vulnerabilities themselves, which are changing and improving, to focus on external symptoms of an attack, which remain the same when the techniques change.